proxy

package


Constants

const (
	// RoleLabelKey names the docker label whose value is a role alias; the
	// alias is resolved through the alias-to-ARN mapping in the JSON config file.
	RoleLabelKey = "ec2metaproxy.RoleAlias"
	// PolicyLabelKey names the docker label whose value is a JSON IAM policy
	// handed to the AssumeRole operation.
	// NOTE(review): whoever can set labels on a container chooses its role alias
	// and policy — confirm that label provenance matches the intended trust model.
	PolicyLabelKey = "ec2metaproxy.Policy"
	// MetadataURL is the upstream metadata endpoint used unless the JSON config
	// file overrides it.
	MetadataURL = "http://169.254.169.254"
)

Variables

This section is empty.

Functions

func RequestID

func RequestID(h http.Handler) http.Handler

RequestID is a middleware that injects a request ID into the context of each request. A request ID is a string of the form "host.example.com/random-0001", where "random" is a base62 random string that uniquely identifies this go process, and where the last number is an atomically incremented request counter.

Types

type Config

// Config describes the JSON config file selected via the -config flag.
type Config struct {
	// AliasToARN maps human-friendly names to IAM ARNs.
	// presumably a container's role label must name one of these keys; verify in the lookup code.
	AliasToARN map[string]string `json:"aliasToARN"`
	// DefaultAlias is an AliasToARN key that selects the default role for
	// containers whose metadata does not specify one.
	DefaultAlias string `json:"defaultAlias"`
	// DefaultPolicy restricts the effective role's permissions to the intersection of
	// the role's policy and this JSON policy.
	DefaultPolicy string `json:"defaultPolicy"`
	// DockerHost is a valid DOCKER_HOST string.
	DockerHost string `json:"dockerHost"`
	// ListenAddr is the TCP network address the proxy listens on.
	// NOTE(review): this should only be reachable from the containers being proxied — confirm the bind address.
	ListenAddr string `json:"listen"`
	// Verbose enables request/response logging to standard out.
	// NOTE(review): responses carry MetadataCredentials, so verbose logs may contain secrets — confirm what is logged before enabling.
	// No explicit json tag; encoding/json still matches the key case-insensitively.
	Verbose bool
}

Config describes the JSON config file selected via the `-config` flag.

func NewConfigFromFlag

func NewConfigFromFlag() (c Config, err error)

NewConfigFromFlag constructs a new Config from the JSON file obtained via the `-config` CLI flag. It also validates the unmarshaled Config fields.

type ContainerInfo

// ContainerInfo can identify a specific container and its IAM role/policy.
type ContainerInfo struct {
	// ID is the container identifier as reported by the ContainerService.
	ID        string
	// Name is the container name as reported by the ContainerService.
	Name      string
	// IamRole is the role to assume for this container; see RoleLabelKey.
	IamRole   RoleARN
	// IamPolicy is the JSON IAM policy applied to the AssumeRole operation; see PolicyLabelKey.
	IamPolicy string
}

ContainerInfo can identify a specific container and its IAM role/policy.

type ContainerService

// ContainerService implementations provide ContainerInfo.
type ContainerService interface {
	// ContainerForIP resolves the container that owns containerIP.
	// NOTE(review): the source IP is the only identity passed here; confirm the
	// proxy is reachable only over a network where container IPs cannot be spoofed.
	ContainerForIP(ctx context.Context, containerIP string) (ContainerInfo, error)
	// TypeName returns a short name for the implementation; presumably used for
	// logging or diagnostics — verify against callers.
	TypeName() string
}

ContainerService implementations provide ContainerInfo.

type DockerContainerService

// DockerContainerService queries the Docker daemon and maintains a mapping of
// IPs to container details; construct it with NewDockerContainerService.
type DockerContainerService struct {
	// contains filtered or unexported fields
}

DockerContainerService queries the Docker daemon and maintains a mapping of IPs to container details.

func NewDockerContainerService

func NewDockerContainerService(config Config, logger *log.Logger) (*DockerContainerService, error)

NewDockerContainerService creates a Docker specific ContainerService implementation.

func (*DockerContainerService) ContainerForIP

func (d *DockerContainerService) ContainerForIP(ctx context.Context, containerIP string) (ContainerInfo, error)

ContainerForIP implements a ContainerService method.

If ContainerInfo exists in the cache, keyed by the container IP, then it is returned. Otherwise syncContainer is used to collect fresh ContainerInfo from the docker API.

func (*DockerContainerService) TypeName

func (d *DockerContainerService) TypeName() string

TypeName implements a ContainerService method.

type MetadataCredentials

// MetadataCredentials fields are returned in HTTP responses as JSON.
// Only AccessKeyID carries an explicit json tag; the rest serialize under
// their Go field names.
type MetadataCredentials struct {
	Code            string
	LastUpdated     time.Time
	Type            string
	// AccessKeyID keeps the "AccessKeyId" spelling on the wire via its tag.
	AccessKeyID     string `json:"AccessKeyId"`
	// SecretAccessKey and Token are the secret half of the credential set.
	// NOTE(review): keep them out of logs (see Config.Verbose).
	SecretAccessKey string
	Token           string
	Expiration      time.Time
}

MetadataCredentials fields are returned in HTTP responses as JSON.

type Proxy

// Proxy provides HTTP handlers for container requests and mediates them to the
// upstream metadata service (MetadataURL unless overridden); create it with New.
type Proxy struct {
	// contains filtered or unexported fields
}

Proxy provides HTTP handlers for responding to container requests and mediates requests to the real upstream metadata service. Its mediation duties also include mapping containers to the roles identified in their (docker) metadata, caching of container/credential information, and (optional) operational logging.

func New

func New(config Config, httpClient http.RoundTripper, stsSvc stsiface.STSAPI, containerSvc ContainerService, logger *log.Logger) (*Proxy, error)

New creates a Proxy instance using the given configuration.

Example
package main

import (
	"log"
	"net/http"
	"os"

	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
	"github.com/codeactual/ec2metaproxy/proxy"
)

// main wires the example together: config from the -config flag, a Docker-backed
// ContainerService, an STS client from the default session, then the proxy
// served behind the RequestID middleware on the configured listen address.
func main() {
	cfg, err := proxy.NewConfigFromFlag()
	if err != nil {
		log.Fatalf("Error reading configuration from flag/file: %+v", err)
	}

	logger := log.New(os.Stdout, "ec2metaproxy ", log.LstdFlags|log.LUTC)

	containers, err := proxy.NewDockerContainerService(cfg, logger)
	if err != nil {
		log.Fatalf("Error creating Docker service: %+v", err)
	}

	// The bare Transport carries no timeouts; NOTE(review): consider setting
	// ResponseHeaderTimeout and friends in a production deployment.
	upstream := &http.Transport{}
	p, err := proxy.New(cfg, upstream, sts.New(session.New()), containers, logger)
	if err != nil {
		log.Fatalf("Error creating proxy: %+v", err)
	}

	// RequestID wraps the proxy so every request carries an ID in its context.
	http.Handle("/", proxy.RequestID(p))
	logger.Fatal(p.Listen())
}
Output:

func (*Proxy) HandleCredentials

func (p *Proxy) HandleCredentials(baseURL, apiVersion, subpath string, c *credentialsProvider, w http.ResponseWriter, r *http.Request)

HandleCredentials responds to credentials requests identified in ServeHTTP.

func (*Proxy) Listen

func (p *Proxy) Listen() error

Listen listens on the TCP address defined in the config file.

func (*Proxy) ServeHTTP

func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request)

ServeHTTP can be used to handle "/" requests and will delegate to HandleCredentials to produce a response.

type RoleARN

// RoleARN holds parsed ARN sections; build one with NewRoleARN. The zero value
// is uninitialized and reports Empty() == true.
type RoleARN struct {
	// contains filtered or unexported fields
}

RoleARN holds parsed ARN sections.

func NewRoleARN

func NewRoleARN(value string) (RoleARN, error)

NewRoleARN creates a new instance by parsing a full ARN string.

func (RoleARN) AccountID

func (r RoleARN) AccountID() string

AccountID returns the numeric account ID section of the ARN.

func (RoleARN) Empty

func (r RoleARN) Empty() bool

Empty returns true if the struct is uninitialized.

func (RoleARN) Equals

func (r RoleARN) Equals(other RoleARN) bool

Equals returns true if the other struct represents the same ARN.

func (RoleARN) Path

func (r RoleARN) Path() string

Path returns the resource path including the trailing RoleName.

func (RoleARN) RoleName

func (r RoleARN) RoleName() string

RoleName returns the "friendly" name, the ARN suffix.

func (RoleARN) String

func (r RoleARN) String() string

String returns the original, unparsed ARN.
